
List:       security-basics
Subject:    RE: Query on audit approach while doing information security audit
From:       "leon" <leon () inyc ! com>
Date:       2001-09-28 13:43:08

Hi,

This is probably a question better suited to the pen-test list (this
question has actually already been answered on that list several times,
and if you take the time to search the SF archives, which rock, you will
find the info), but I will take a stab at it.

I would begin by gathering information and documenting it (security &
incident response policy, configurations, service packs / patches),
including the configurations of all IP-aware devices (switches, routers,
firewall & IDS).

Once you have a good amount of information gathered, you can begin to
assess the state of the network.  If they have a security policy, you
have something to match the state of the network up against.  If not, you
MUST write them one.  I would then begin port scanning & running Nessus.
At that point you should have a good idea of the big holes and what
needs to be patched.

Hope that helps,

Leon
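The policy-versus-scan comparison described in the reply above, as an added example that is not part of the original post or of any tool it mentions: a Python script that parses nmap grepable (-oG) output and reports every open port the documented baseline does not permit, every documented service that was not found open, and every host the policy does not mention at all. The baseline, the addresses and the scan output are constructed for illustration and stand in for the written security policy and a real scan.

```python
# Constructed baseline standing in for the written security policy: the
# services each host is permitted to expose. Addresses are hypothetical.
BASELINE = {
    "10.0.0.1": {22},          # router: SSH management only
    "10.0.0.5": {22, 443},     # web server: SSH management + HTTPS
    "10.0.0.10": {1433},       # database server: SQL Server only
    "10.0.0.20": {25},         # mail relay: SMTP
}

# Constructed sample of nmap grepable output (nmap -sS -p- -oG scan.gnmap ...).
# Not a real scan. Each Ports entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -p- -oG scan.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (65533)\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)\n"
    "Host: 10.0.0.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 1433/open/tcp//ms-sql-s///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65531)\n"
    "Host: 10.0.0.77 ()\tStatus: Up\n"
    "Host: 10.0.0.77 ()\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: closed (65534)\n"
    "# Nmap done -- 256 IP addresses (4 hosts up) scanned\n"
)


def parse_gnmap(text):
    """Return {host: {port: service}} for every port reported *open*.

    Comment lines are skipped. A Host line without a Ports field (such as a
    Status line) still registers the host, so 'up but nothing open' can be
    told apart from 'not seen at all'. Filtered and closed ports are ignored.
    """
    scan = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]          # "Host: 10.0.0.5 ()" -> "10.0.0.5"
        ports = scan.setdefault(host, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, service = int(parts[0]), parts[1], parts[4]
                if state == "open":
                    ports[port] = service
    return scan


def compare(scan, baseline):
    """Return sorted (host, port, kind) findings. kind is 'unexpected_open'
    (open but not permitted), 'expected_not_open' (permitted but not found
    open) or 'undocumented_host' (host the policy does not cover)."""
    findings = []
    for host, allowed in baseline.items():
        seen = set(scan.get(host, {}))
        for port in seen - allowed:
            findings.append((host, port, "unexpected_open"))
        for port in allowed - seen:
            findings.append((host, port, "expected_not_open"))
    for host, ports in scan.items():
        if host not in baseline:
            for port in ports:
                findings.append((host, port, "undocumented_host"))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, kind in compare(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{host:12} {port:>5}  {kind}")
```

The 'expected_not_open' case matters as much as the unexpected ones: a documented service that the scanner cannot reach may mean the scan was run from the wrong network segment or blocked by a firewall, which is itself a finding about scan coverage rather than about the host. Vulnerability detail for the ports that remain (the Nessus step in the reply) is a separate pass over the same host list.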

-----Original Message-----
From: Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager
1/421037 Ph-43983/45283 [mailto:lkani@jsr.tatasteel.com] 
Sent: Wednesday, September 26, 2001 1:31 PM
To: security-basics@securityfocus.com
Subject: Query on audit approach while doing information security audit

Hi,

I am in the systems audit division of a steel manufacturing firm. When I
do an information security audit in my company, what should be my audit
approach?

(1) Should I do it technical-component-wise, say OS security, database
security, firewall security, authorisation procedures etc., and then
audit these components?

OR

(2) Identify data clusters and then see all the technical components
relevant to this?

The merit I see in the second approach is that when I give a report on
information security to the customer (various departments or data
owners), I will tell him/her the confidence that he/she can place in the
security of his/her data.

Whereas in the first approach I will give a one-dimensional view of
security of data, maybe across the company. But it does not tell how
secure the data is. But it still does give some information on security.

Can you please throw some more light on the pros and cons of these (or
possibly other, better) approaches?

What do you think ?

regards
Kani
